How do I trust S/MIME certificates in Office 365?
Unlike OWA running on an on-premises Exchange server, Office 365 does not trust any root certificates by default. This causes validation problems when opening digitally signed email using S/MIME: the signature chains up to a CA that Exchange Online knows nothing about, so OWA reports it as untrusted. To fix this, the Office 365 administrators for your organization must import the root and intermediate certificates the organization chooses to trust, packaged as a Microsoft Serialized Certificate Store file (*.SST). This article describes that process.
There are two ways to obtain an SST file.
You can build one with the Export-Certificate cmdlet (PKI module, Windows 8 / Server 2012 and later). Point it at the store that holds the CA certificates you want trusted: Cert:\LocalMachine\Root for root CAs and Cert:\LocalMachine\CA for intermediates. (Cert:\CurrentUser\My, used in the cmdlet's own documentation example, is the user's personal store and normally contains end-entity certificates, not CAs.) For example:
PS C:\> Get-ChildItem -Path Cert:\LocalMachine\Root |
Export-Certificate -FilePath C:\certs\allcerts.sst -Type SST
Exporting an entire Root store would make every public CA in it trusted for S/MIME, so narrow the Get-ChildItem output with Where-Object (for example on Thumbprint or Subject) so that only the CAs you intend to trust are written to the file.
Alternatively, you can create an SST file from your computer's certificate store using the Certificate Export Wizard (in certmgr.msc, select the CA certificates, choose Export, and pick the "Microsoft Serialized Certificate Store (.SST)" format).
First you must connect to Office 365 using PowerShell. Here is how to do this:
On the local computer, open Windows PowerShell and run the following commands:
Import-Module MSOnline
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type your Exchange Online user name and password and then click OK.
Run the following command (all on one line):
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Next run these commands:
Import-PSSession $Session -AllowClobber
Connect-MsolService -Credential $UserCredential
The Exchange Online cmdlets (including Set-SmimeConfig) are now imported into your local Windows PowerShell session. Connect-MsolService is only needed if you also want to run the Azure AD (MSOnline) cmdlets; it is not required for the S/MIME step. If you don't receive an error, verify the connection with:
Get-Mailbox
If Get-Mailbox returns your mailboxes, you are connected to Office 365 successfully.
Note that Microsoft has since retired Basic authentication for Exchange Online remote PowerShell, so the New-PSSession command above no longer works on current tenants. Use the ExchangeOnlineManagement module (Connect-ExchangeOnline) to connect instead; the Set-SmimeConfig step that follows is the same in either session.
Once you are connected to Office 365 via PowerShell, import the SST with the following command, where <filename>.sst is the file you created above:
Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content <filename>.sst -Encoding Byte)
Get-Content -Encoding Byte is Windows PowerShell (5.1 and earlier) syntax; on PowerShell 7 use -AsByteStream instead. The value you set replaces the collection previously stored in the tenant rather than adding to it, so the SST must contain every root and intermediate CA that should remain trusted. You can review the current S/MIME settings afterwards with Get-SmimeConfig.
After the SST is installed, you will need DirSync (the directory synchronization that publishes users' S/MIME certificates from on-premises Active Directory to Office 365) to run. You can trigger it manually by opening DirSyncConfigShell and running Start-OnlineCoexistenceSync, or simply wait: the scheduled synchronization generally runs on its own within about 30 minutes.
When you are finished, it is important to close out the session. You
can do this by running the following command:
Remove-PSSession $Session
When the DirSync has completed, any certificate issued by a CA whose root and intermediate certificates you imported should chain up and be trusted in OWA. If a signed message still shows as untrusted, check that every intermediate CA in the signer's chain, not just the root, was included in the SST.
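The whole procedure, as one script. This is an added example, not code from the original article: it selects the CA certificates to trust by thumbprint, writes and verifies the SST, and loads it into Exchange Online. It connects with the ExchangeOnlineManagement module (Connect-ExchangeOnline) rather than the article's Basic-auth New-PSSession, so it assumes that module is installed. The thumbprints, the "Contoso" names, the file path and the admin UPN are placeholders; replace them with your own.

```powershell
# Added example (not from the original article). Assumptions: the
# ExchangeOnlineManagement module is installed; thumbprints, path and UPN below
# are placeholders for your own values.

# --- Step 1: select the CA certificates to trust ----------------------------
# Placeholder thumbprints (assumed). Root CAs live in the Root store,
# intermediate (issuing) CAs in the CA store; both kinds belong in the SST.
$TrustedThumbprints = @(
    'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678',   # assumed: Contoso Root CA
    '0123456789ABCDEF0123456789ABCDEF01234567'    # assumed: Contoso Issuing CA 1
)

$candidates = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA
$selected   = $candidates | Where-Object { $_.Thumbprint -in $TrustedThumbprints }

# Refuse to continue if a requested CA is missing: an incomplete chain means
# signatures will still fail to validate in OWA after the import.
$missing = $TrustedThumbprints | Where-Object { $_ -notin $selected.Thumbprint }
if ($missing) {
    throw "CA certificate(s) not found in local stores: $($missing -join ', ')"
}

# Only CA certificates belong in the SST: check Basic Constraints (OID 2.5.29.19).
foreach ($cert in $selected) {
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$($cert.Subject) is not a CA certificate; it does not belong in the SST"
    }
}

# --- Step 2: write the SST and confirm what it contains ---------------------
$SstPath = 'C:\certs\smime-cas.sst'     # assumed path
New-Item -ItemType Directory -Path (Split-Path $SstPath) -Force | Out-Null
$selected | Export-Certificate -FilePath $SstPath -Type SST -Force | Out-Null

# Re-read the file as a serialized store and compare against what we exported.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$check.Import($SstPath)
if ($check.Count -ne $selected.Count) {
    throw "SST contains $($check.Count) certificate(s), expected $($selected.Count)"
}
$check | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# --- Step 3: load it into Exchange Online -----------------------------------
# Connect-ExchangeOnline replaces the article's Basic-auth New-PSSession;
# the UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com' -ShowBanner:$false

try {
    # The parameter takes the raw bytes of the SST. ReadAllBytes behaves the same
    # on Windows PowerShell 5.1 and PowerShell 7 (Get-Content -Encoding Byte is
    # 5.1-only; 7 uses -AsByteStream). Setting this value REPLACES the whole
    # stored collection, so the SST must hold every CA you still want trusted.
    Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes($SstPath))

    # Review the resulting S/MIME configuration.
    Get-SmimeConfig | Format-List
}
finally {
    # Always tear down the session, as the article recommends.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Selecting by thumbprint rather than exporting a whole store is the important part: the SST defines exactly which CAs Exchange Online will accept for S/MIME signatures, and anything extra in it is trusted too. Keep the generated SST under version control or in a secure share, since the next Set-SmimeConfig run must supply the complete set again.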